CVE-2025-29824 | Windows | LPE
| Vulnerability | CVE-2025-29824 |
|---|---|
| Type | Use-after-free (UAF) in the Windows Common Log File System (CLFS) kernel driver (clfs.sys) |
| Description | A logic error around CLFS handle cleanup lets an attacker who already has local code execution trigger a UAF and corrupt kernel memory, then flip process token privileges to SYSTEM. Observed in the wild chained with the PipeMagic backdoor in ransomware operations. |
| Affected Systems | Microsoft Windows client and server releases prior to the April 8, 2025 security updates, including Windows 10 (21H2/22H2), Windows 11 (22H2/24H2), and Windows Server 2008 through 2025. Windows 11 24H2 contained the vulnerability, but the observed exploit path failed there because NtQuerySystemInformation is restricted to callers holding SeDebugPrivilege. |
| Attack Vector | Local post-compromise EoP. Exploit runs from a user process (seen ITW launched from dllhost.exe) after initial access; no user interaction required. The ITW chain used PipeMagic to stage and invoke the CLFS exploit. |
| Exploit Mechanism | Trigger the UAF during IRP_MJ_CLEANUP/IRP_MJ_CLOSE sequencing: a CLFS CClfsLogCcb object is freed during cleanup while another I/O path still references it, and the stale reference is then reused to gain arbitrary kernel write influence and call RtlSetAllBits on the token's privilege bitmap (0xFFFFFFFF), after which the exploit injects into SYSTEM processes. In practice the object is freed through a lookaside list of depth 24: the exploit opens at least 25 handles to the same log file, closes 24 of them to fill the list, and finally triggers the bug with the remaining handle. |
| Impact of the Bug | Privilege escalation to SYSTEM, followed by credential theft (LSASS dump) and rapid ransomware deployment (observed with RansomEXX). |
| Detection Techniques | - Creation of unknown log files with the extension .blf. - Investigation of any post-exploitation activity aimed at obtaining LSASS memory with procdump, as seen in the wild. |
| IOCs Related to Exploitation | - Presence of an unfamiliar .blf log file on the host (ITW example: C:\ProgramData\SkyPDF\PDUDrv.blf). - Unusual process/command line on the host (ITW example: $system32\dllhost.exe -accepteula -r -ma lsass.exe $appdata\FoMJoEqdWg). - Unusual network traffic patterns originating from the host (ITW example: hxxp://aaaaabbbbbbb.eastus.cloudapp.azure[.]com). |
| Mitigation Steps | Patch immediately: apply April 8, 2025 Microsoft updates for all affected Windows versions. |
| References | - NVD entry for CVE-2025-29824 - Exploitation of CLFS zero-day leads to ransomware activity - Evolution of the PipeMagic backdoor - Dissecting PipeMagic - Deep dive into CVE-2025-29824 |